It looks like the normal state of BTRFS is to store the first superblock at 0x10000 (64 KiB), and the second at 0x4000000 (64 MiB). On my test BTRFS partition, everything below 0x10000 is all zeros, so when I run:
sudo hexdump -C -n 0x10100 /dev/sd…
I see roughly this output (being somewhat paranoid, I have stripped out any possible identifying sections):
00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00010000 00 00 00 00 00 00 00 00 00 00 00 00 | ............| // only 4-bytes of 32 available
00010010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| // used by crc32c checksum
00010020 | | // 16-byte Filesystem UUID
00010030 00 00 01 00 00 00 00 00 |........ | // 8-byte Address + 8-byte Flags
00010040 5f 42 48 52 66 53 5f 4d |_BHRfS_M........| // 8-byte Magic + 8-byte Gen.
00010050 | | // 8-byte Root + 8-byte Chunk
00010060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| // 8-byte Log + 8-byte TransID
00010070 | | // 8-byte Total + 8-byte Used
00010080 06 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 |................| // 8-byte Objectid + 8-byte Devices
00010090 00 40 00 00 | .@.. | // Sector + Node + Leaf + Stripe
000100a0 | | // Array + Chunkgen + Compat-
000100b0 | | // + CompatRO + Incompat-
000100c0 00 00 | .. | // + Csum_type + Levels + DEV_ITEM-
000100d0 | | // DEV_ITEM continued
000100e0 | | // DEV_ITEM continued
000100f0 | | // DEV_ITEM continued
00010100
The magic number to look for is that text _BHRfS_M in ASCII, sitting at offset 0x40 within the superblock. The full documentation for the superblock format is on kernel.org:
https://btrfs.wiki.kernel.org/index.php/On-disk_Format
That is strange; as mentioned above the superblock is actually much further within the partition; if you ran the command on a proper BTRFS partition, I think you should have just seen null bytes. For me to see anything, I had to hexdump all the way out to address 0x10100 (512 B more than 64 KiB).
Absurd Hack to Hunt for a Superblock
To try to find the superblock, my crazy solution would be to try:
sudo strings -a -n 8 -t x /path/to/partition | grep _BHRfS_M
and watch to see where/if the superblock magic value shows up.
This is running strings in scan-the-whole-file mode (-a), looking for strings 8 bytes long (-n 8), giving us the location in the file in hexadecimal (-t x); then piping to grep, which searches for the particular string we are looking for (_BHRfS_M).
Next steps
Once we know where a superblock is, you can hexdump just the surrounding area with the skip (-s __) and length (-n __) arguments.
If we hexdump a superblock, maybe we can craft a restore command to extract some data?
https://btrfs.wiki.kernel.org/index.php/Restore
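A stricter version of the strings | grep hunt, as an added example that is not part of the original answer: it goes one step further and checks each magic hit against the fields shown in the hexdump above (checksum at 0x00, Address at 0x30, magic at 0x40, generation at 0x48), so stray copies of the text are filtered out. The function names, the 4 KiB superblock size, the checksum coverage and the sample image are assumptions or constructed for illustration.

```python
import struct

MAGIC = b"_BHRfS_M"                       # magic from the page, at 0x40 in the superblock
MAGIC_OFF, SB_SIZE, CSUM_SIZE = 0x40, 0x1000, 0x20   # assumed: csum covers 0x20..0xFFF
PRIMARY, MIRROR = 0x10000, 0x4000000      # superblock locations named on the page

def crc32c(data):
    """Bitwise CRC-32C (Castagnoli), reflected polynomial 0x82F63B78."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (0x82F63B78 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF

def find_superblocks(image):
    """Check every magic hit in a bytes or mmap object; return one dict per candidate."""
    hits, pos = [], image.find(MAGIC)
    while pos != -1:
        sb = pos - MAGIC_OFF
        if sb >= 0 and sb + SB_SIZE <= len(image):
            block = image[sb:sb + SB_SIZE]
            stored, = struct.unpack_from("<I", block, 0)     # 4 used bytes of the csum field
            bytenr, = struct.unpack_from("<Q", block, 0x30)  # "Address": block's own location
            generation, = struct.unpack_from("<Q", block, 0x48)
            hits.append({
                "offset": sb, "bytenr": bytenr, "generation": generation,
                "csum_ok": stored == crc32c(block[CSUM_SIZE:]),
                "known_slot": bytenr in (PRIMARY, MIRROR),
                # where the filesystem starts inside the image if this copy is genuine
                "fs_start": sb - bytenr,
            })
        pos = image.find(MAGIC, pos + 1)
    return hits

def build_sample():
    """Constructed image: filesystem starting at 0x2000, plus a stray magic string."""
    image = bytearray(0x14000)
    image[0x100:0x108] = MAGIC                  # false positive
    block = bytearray(SB_SIZE)
    struct.pack_into("<Q", block, 0x30, PRIMARY)
    block[MAGIC_OFF:MAGIC_OFF + 8] = MAGIC
    struct.pack_into("<Q", block, 0x48, 7)      # made-up generation
    struct.pack_into("<I", block, 0, crc32c(block[CSUM_SIZE:]))
    image[0x2000 + PRIMARY:0x2000 + PRIMARY + SB_SIZE] = block
    return bytes(image)

if __name__ == "__main__":
    print(find_superblocks(build_sample()))
```

find_superblocks accepts bytes or a read-only mmap of an image file; a candidate worth hexdumping has csum_ok and known_slot both true, and its fs_start tells you where the partition begins inside the image.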